Port Forwarding NAT policy with source address translation

Firstly I wanted to say how much I have enjoyed my recent discovery of the Lawrence Systems YouTube channel. There is some excellent content which I have found to be very interesting - even if I am a bit late to the party!

My background (briefly) - I’ve worked in IT for close to 35 years and for a 17-year period I worked for a UK-based consultancy dealing with firewalls and other security solutions so I got my hands quite dirty in this area. I did have some larger installations to look after but many were mid-sized or smaller (100 users or less). I started off with Borderware (now owned by WatchGuard), moved to Secure Computing Sidewinder (which later became McAfee Firewall Enterprise and was subsequently sold off to Forcepoint), and in the latter years also did a fair amount of work with SonicWALL. Each has its pros and cons but the thing that was always different was how they handled NAT. Thanks to my contacts in the industry I ended up getting a small SonicWALL appliance on my home network which I continue to run to this day.

I left that area of the industry in 2014, returning to normal IT because I used to be ‘on the road’ and for family reasons needed to revert to something operating from a fixed location.

Anyway, having always retained an interest in Firewalls even though it hasn’t been my day-to-day job for nearly 8 years, I decided to have a play around with pfsense on my old home lab which hadn’t really been used in earnest since I was last doing this type of job.

While the previously-mentioned firewalls I used to work with each had their own way of performing NAT, it was possible to create a NAT configuration from one network to another (most commonly WAN to LAN) that performed NAT on the destination IP (the basic function of port forwarding in pfsense, it would seem) and also translated the port number (e.g. accept the connection on the WAN interface on port 8080 and forward it to the destination IP on port 80). However, I would also have the option to be able to apply NAT translation to the source IP address in the connection as well, meaning that the destination server would see the connection as if it had come from the IP address of the LAN interface of the firewall, not the actual IP address of the client device.


‘Client’ IP -
Firewall WAN IP -
Firewall LAN IP -
‘Server’ IP -

I’ve created a NAT policy for SSH and it works just fine. On my client machine, I can SSH to and the connection is passed through to the ‘server’ on

When I look at a tcpdump on the LAN interface of the pfsense host itself I can see the traffic passing through and it shows the source IP address as

However, for no reason in particular other than to see if it is possible, can pfsense be configured so that I can have a port forwarding rule in place that, in addition to NATing the destination IP & port, also NATs the source address so that the ‘Server’ believes the connection has actually come from instead of

I’ve looked at the pfsense port forwarding NAT configuration screen and can’t seem to find anything that could allow me to configure source address NAT. I don’t know if it is because I am looking in the wrong place and that source NAT is handled elsewhere or if source NAT isn’t possible on pfsense.

Many thanks in advance.


I’m guessing it isn’t possible on this Firewall, but can anyone confirm for sure?